CVE-2020-26214 describes an Authentication Bypass vulnerability in Alerta Server. This allows attackers to potentially bypass LDAP authentication by providing an empty password, particularly in environments where LDAP servers permit unauthenticated binds. The vulnerability affects versions of Alerta Server up to and including 8.0.3. A fix has been implemented in version 8.1.0.
The primary impact of CVE-2020-26214 is unauthorized access to the Alerta Server. An attacker who can bypass LDAP authentication can gain access to sensitive data and potentially compromise the entire system. This could involve modifying alert configurations, creating or deleting users, and disrupting monitoring operations. The vulnerability is particularly concerning because it leverages a misconfiguration on the LDAP server side, rather than a flaw within Alerta Server itself. Exploitation requires the LDAP server to be configured to allow unauthenticated binds, a common default setting on Active Directory installations.
CVE-2020-26214 was publicly disclosed on November 6, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, likely due to the requirement of a specific LDAP server configuration.
Organizations using Alerta Server for incident monitoring and alerting, particularly those relying on LDAP for authentication and using default Active Directory configurations, are at risk. Shared hosting environments where LDAP server configurations are managed centrally are also potentially vulnerable.
• python / server:
  # Check the installed Alerta Server version (the package name on PyPI is alerta-server)
  pip show alerta-server | grep Version
• python / server:
  # Check LDAP configuration in alerta.yml for allow_empty_password
  grep 'allow_empty_password' /etc/alerta/alerta.yml
• generic web:
  # Attempt a login with an empty password against the JSON login endpoint and check for 401 Unauthorized
  curl -s -o /dev/null -w '%{http_code}\n' -X POST -H 'Content-Type: application/json' \
    -d '{"username":"<ldap_user>","password":""}' http://<alerta_server_ip>/auth/login
Exploitation status
EPSS
89.46% (100th percentile)
CVSS vector
The primary mitigation for CVE-2020-26214 is to upgrade Alerta Server to version 8.1.0 or later, which includes a fix that returns an HTTP 401 Unauthorized response for empty password authentication attempts. If upgrading is not immediately feasible, LDAP administrators can implement a workaround by disallowing unauthenticated bind requests from clients. This can be configured within the LDAP server itself. Monitor LDAP logs for unusual authentication attempts, particularly those with empty passwords. After upgrading, confirm the fix by attempting authentication with an empty password and verifying that it results in a 401 Unauthorized response.
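To make the mechanism concrete, the following added example (not Alerta's own code or the code from the linked pull request) models the two sides of the problem described above: an LDAP server that honours RFC 4513 "unauthenticated" binds (a non-empty DN with an empty password succeeds, yielding an anonymous session), and a login handler that either trusts the bind result alone or, as the fix is described above, rejects empty credentials with a 401 before binding. The directory contents, DN layout, token string and status codes are constructed for the example; `ldap_bind` is a stand-in for a real `simple_bind_s()` call.

```python
"""Model of the CVE-2020-26214 pattern: empty-password login against an LDAP
server that permits unauthenticated binds (added example, not Alerta code)."""

# Constructed directory: DN -> password. Only these are real accounts.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
}

UNAUTHORIZED = (401, {"message": "Invalid username or password"})


def ldap_bind(dn: str, password: str, allow_unauthenticated: bool) -> bool:
    """Stand-in for simple_bind_s(). Returns True when the bind 'succeeds'.

    RFC 4513 section 5.1.2: a bind carrying a DN but an empty password is an
    'unauthenticated' bind. A server that allows it answers success (as an
    anonymous session) even if the DN does not exist. That server-side
    behaviour is the precondition CVE-2020-26214 relies on.
    """
    if password == "":
        return allow_unauthenticated
    return DIRECTORY.get(dn) == password


def login_vulnerable(username: str, password: str, allow_unauthenticated: bool = True):
    """Handler that trusts the bind result alone (the pre-8.1.0 behaviour
    described on the page). Returns (status_code, body)."""
    dn = f"uid={username},ou=people,dc=example,dc=org"  # constructed DN layout
    if ldap_bind(dn, password, allow_unauthenticated):
        return 200, {"token": f"jwt-for-{username}"}  # constructed token value
    return UNAUTHORIZED


def login_fixed(username: str, password: str, allow_unauthenticated: bool = True):
    """Handler that rejects empty credentials before ever contacting LDAP,
    matching the page's description of the 8.1.0 fix (401 on empty password)."""
    if not username or not password:
        return UNAUTHORIZED
    return login_vulnerable(username, password, allow_unauthenticated)


if __name__ == "__main__":
    # Unknown user, empty password, permissive server: bypass vs. fix.
    print("vulnerable:", login_vulnerable("nobody", "")[0])   # 200
    print("fixed:     ", login_fixed("nobody", "")[0])        # 401
    # The LDAP-side workaround alone also closes the hole for the old handler.
    print("ldap hardened:", login_vulnerable("nobody", "", allow_unauthenticated=False)[0])  # 401
```

The `allow_unauthenticated=False` path corresponds to the LDAP-side workaround (disallowing unauthenticated binds on the server), and `login_fixed` to the application-side fix; either one on its own returns 401 for the empty-password case, and the post-upgrade verification step described above is exactly the `login_fixed("…", "")` call.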
Update Alerta to version 8.1.0 or later. Alternatively, LDAP administrators can disable unauthenticated bind requests from clients in the LDAP server configuration.
CVE-2020-26214 is a critical vulnerability in Alerta Server versions up to 8.0.3 that allows attackers to bypass LDAP authentication by providing an empty password if the LDAP server permits unauthenticated binds.
You are affected if you are using Alerta Server version 8.0.3 or earlier and your LDAP server allows unauthenticated bind requests.
Upgrade Alerta Server to version 8.1.0 or later. Alternatively, configure your LDAP server to disallow unauthenticated bind requests.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-26214.
Refer to the Alerta GitHub pull request for details: https://github.com/alerta/alerta/pull/1345